PHP-说明我的SSO身份验证所需的步骤

Question

I have built a lot of internal applications at my company. And my programming is on the the database/app level. Most of my applications have been using the same login/authentication class for years. However, said company wants everything going through their SSO authentication application. They have sent me their SSO application URL, the fields names they are passing, my sites actionURL, and my appKey.

All of my applications are on the same domain. I understand that I can set cookies to work on entire domain and have that set. Right now I am a bit stuck because I wrote some very simple test code. It is taking users to the SSO server and authenticating and sending the back over to my actionURL which is just my root of my domain.

So I am trying to request a URL that is behind my code, it shows that I need to be authenticated, passes me to the SSO app, and then I get passed back to my actionURL. What do I need on my actionURL to allow me to navigate through my apps.

Current code:

session_start();

if ($_POST && isset($_POST['digest']))       
{
    $digest = $_POST["digest"];
    // set the session variables ...

    $_SESSION['username'] = $_POST["firstname"]." ".$_POST["lastname"];
    $_SESSION['firstname'] = $_POST["firstname"];
    $_SESSION['lastname'] = $_POST["lastname"];
    $_SESSION['email'] = $_POST["email"];
    $_SESSION['uid'] = $_POST["uid"];


    // Needed for key
    $uid = $_POST["uid"];
    $time = $_POST["time"];

    // Read the property file with the key and URL  so this won't go into the main code ...
    // this sets $appKey and $safeurl

    require_once("safe_login_properties.php");

    $mykey = "".$uid.$time.$appKey;
    $mydigest = md5($mykey);



    if ($debugthis)    // enable this for some debugging
    {
        $fp = fopen("DebugInfo.txt", "a");
        fprintf($fp, "%s\n", date("H:i:s"));

        foreach($_POST as $p => $v)
        {
            fprintf($fp, "POST: %s: %s\n", $p, $v);
        }
        foreach($_SESSION as $p => $v)
        {
            fprintf($fp, "SESSION: %s: %s\n", $p, $v);
        }

        fprintf($fp, "mykey: %s (uid: %s, time %s, key %s)\n", $mykey, $uid, $time, $appKey);
        fprintf($fp, "posted digest: %s\n", $digest);
        fprintf($fp, "mydigest: %s\n", $mydigest);

        if ($digest == $mydigest)
            fprintf($fp, "Digest match\n");
        else
            fprintf($fp, "***** digest does not match\n");
        fclose($fp);
    }

    if ($digest != $mydigest)
    {
       die("Invalid login - expected digest does not match");
    }

}

if (!isset($_SESSION['username']) || empty($_SESSION['username']))
{
    // Read the property file with the key and URL  so this won't go into the main code ...
    // this sets $appKey and $safeurl
    require_once("safe_login.php");
    header("Location: ".$safeurl);
}

Additional info - All of my applications are mysql and php based. So I need to bring my mysql piece into it. I need something that says yes you are authorized, your username was passed over, and now we will look you up in the mysql database and use your corresponding row for rights/access. Does that make sense? Trying to write that part right now.

Answer 1

In your case, there has to be a mapping between the users in your MySQL db and the SSO server. A simple one would be an email address. A better one would be a GUID - globally unique ID. Whetever it is, the SSO server should pass a unique ID identifying the user when it calls your actionURL ( in SSO terms... your callback url).

Once you get the unique ID, retrieve the user from your MySQL DB using that ID. If he exists, log him in.

Normally, the SSO server will create a cookie which your applications can see. This should indicate if your user is logged in or not ( so you don't have to keep going back to the Server to authenticate a user).

HTH